
4/2/09

The latest version of Conficker has undergone its much-anticipated update Wednesday, April 1, but has thus far remained inactive, leaving security researchers to ponder what is next for the notorious Internet worm.

"Nobody knows what the motive is other than to create a botnet," said Randy Abrams, director of technical education for security company ESET. "At this point, all we can do is speculate."

The newly refreshed Conficker computer worm, which has so far drawn millions of computers into a global botnet, evolved Wednesday when its new domain generation algorithm went live: each infected machine now derives 50,000 candidate domains a day and attempts to contact 500 of them, compared with the 250 a day of the earlier variants, a small enough set that defenders had been able to register the names in advance and block them. The latest variant, Conficker C, can therefore reach its command and control servers for further instructions while sidestepping the security community, which until now had been able to cut off communication with the worm's rendezvous domains.
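To show why the jump to 50,000 candidate domains matters, here is an added example (not code from the article, and not the worm's own algorithm) of a hypothetical date-seeded DGA with the same shape: every bot computes the day's candidate list, contacts a random 500 of them, and the botmaster only needs to register a handful. The domain construction, the TLD list, the per-bot seed and the hypergeometric reach calculation are all assumptions of this example; the 50,000 and 500 figures are the ones quoted in the article.

```python
import hashlib
import random
from datetime import date
from math import comb

# Hypothetical Conficker-C-shaped DGA. Assumption: this is NOT the worm's
# real algorithm, only a model with the same structure (date-seeded, many
# names per day, bot contacts a random subset).
TLDS = ["com", "net", "org", "info", "biz"]  # assumption; the real worm used far more
DOMAINS_PER_DAY = 50_000   # figures quoted in the article
CONTACTS_PER_DAY = 500


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive the day's candidate rendezvous domains from the date alone.

    Botmaster and bots share nothing but this function, so both sides can
    compute the same list offline, and so can a defender who has reversed it.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return domains


def bot_contact_set(day: date, bot_seed: int, k: int = CONTACTS_PER_DAY) -> list[str]:
    """One bot's k domains for the day, drawn at random from the full list.

    `bot_seed` stands in for per-host randomness, so two bots pick different subsets.
    """
    return random.Random(bot_seed).sample(generate_domains(day), k)


def botmaster_hit_probability(registered: int,
                              total: int = DOMAINS_PER_DAY,
                              k: int = CONTACTS_PER_DAY) -> float:
    """Chance that one bot's random k-subset contains at least one of the
    `registered` names the botmaster controls (hypergeometric complement)."""
    return 1.0 - comb(total - registered, k) / comb(total, k)


def reach_over_days(daily_p: float, days: int) -> float:
    """Fraction of bots reached at least once, treating each day as an independent try."""
    return 1.0 - (1.0 - daily_p) ** days


def defender_daily_block_cost(day: date) -> int:
    """Distinct names a defender must register or sinkhole to cut off one whole day."""
    return len(set(generate_domains(day)))


if __name__ == "__main__":
    day = date(2009, 4, 1)
    print("defender must control", defender_daily_block_cost(day), "names for", day)
    for n in (1, 10, 100):
        p = botmaster_hit_probability(n)
        print(f"botmaster registers {n:>3}: {p:.1%} of bots per day, "
              f"{reach_over_days(p, 30):.1%} within 30 days")
    print("one bot's first three contacts:", bot_contact_set(day, bot_seed=7)[:3])
```

The numbers make the asymmetry plain: a defender who wants to close one day's rendezvous must control all 50,000 names, while a botmaster who registers a single name still reaches 1% of the botnet that day, and with ten names reaches roughly a tenth of it per day and the large majority within a month.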

So far, Conficker's update has come to pass silently, leaving many to wonder what will happen next.

"Much speculation has happened," said Stephan Chenette, Websense labs manager. "What ended up happening has so far been nothing. So far it's been kind of a dud."

But that doesn't mean that the worm will remain dormant, Chenette said. Security experts say that April 1, or April Fools' Day, has historically been a day when malware authors launch attacks. Chenette said that although Conficker's update took place on April 1, an attack could still be imminent.

"April 1 is a special event. What bigger joke could malware authors play than something on April 2 or April 3?" he said.

Specifically, Conficker C is the latest variation of the malware that exploits a vulnerability in the way the Windows Server Service from Microsoft (NSDQ:MSFT) handles RPC requests. Microsoft issued an emergency out-of-band patch for it in October 2008 (security bulletin MS08-067), before the worm first appeared, but so many machines were left unpatched in the weeks that followed that the worm was still able to spread rapidly.

Since late 2008, the initial versions of the worm, Conficker A and B, have made history with how quickly they replicated, infecting millions of machines through the Server Service exploit and, in Conficker B, through additional techniques that ranged from brute-force password guessing against network shares to transmission via USB sticks and other removable media using a crafted Autorun file.

The version that updated this week had shed the self-replication code of its predecessors, but it retains the worm's other defenses: it disables Windows Automatic Updates and the Windows Security Center, blocks user access to numerous antivirus vendors' Web sites, and evades security products. Like the earlier variants, it also patches the Server Service vulnerability it arrived through once it has infected a machine, most likely to keep competing malware from occupying the same space.

Chenette said that the chances were strong that Conficker's authors were waiting until the publicity died down before using the botnet for some kind of future criminal activity, such as a spam campaign or a denial of service attack. In the meantime, it was likely that Conficker would be used to infect more machines.

"Something is going to happen, we're all certain," Chenette said, adding that the latest worm update could serve a purpose. "That purpose could be for sending spam or a denial of service attack. That purpose could be something much greater. We know it's going to be for monetary gain."

Other security experts, however, speculated that the Conficker worm could be an elaborate prank, or used to disguise a smaller targeted attack with the majority of its victims being used as a "smokescreen."

"All they'd need was a few machines achieving their goal and the rest is a smokescreen. And there's a lot of smoke," ESET's Abrams said, adding, "Why go to the trouble of creating a botnet if you don't use it?"

Abrams said that the Conficker worm posed much less of a security threat than many other types of malware, and that much of the wild speculation regarding the future of the worm will probably be irrelevant.

"I don't think it's a significantly larger threat than any of the large bots that are out there. Any other bot can update itself with evolutionary code that can be as significant as Conficker's," he said.

Instead, Abrams said that users should focus on overall security, which includes keeping Windows systems patched and installing up-to-date antivirus and firewall products, as well as disabling Windows Autorun.

"The people that are looking at overall security aren't going to be distracted by [Conficker]," Abrams said. "If you're worrying about how to prevent all those other threats that are out there, then you've already taken care of Conficker."